How to Perform a Security Audit on Your Website


(Last Updated On: September 6, 2019)

With all that goes into maintaining an online presence, security isn’t something that we always think about, but it definitely deserves consideration these days. Website hacks and cyberattacks happen all the time, and almost all of them are preventable.

In this article, we’ll take a look at what you can do to keep your website safe, and you won’t have to hire a security professional to do it. There are some basic steps you can follow that will make your website more secure and much less likely to be successfully attacked.

We’ll start with the basics and work our way up to more advanced security measures, but all of these steps are easy to accomplish.

Make a Website Audit Checklist

Whenever you take on a serious task, it’s a good idea to make a checklist, and the task of securing your website is no exception. Each of the suggestions in this article is an item that belongs on your website security checklist. After you create one, that checklist can be your guide every time you perform a security audit on your website.

You won’t have to do a deep audit every time you assess your website security, but it is recommended that you do as thorough a job as possible for your first one.

Now let’s take a look at what you should include on your website security audit checklist.

Start with Some Basic CMS Settings

Your content management system (CMS) is the heart of your website. Via its login portal, you can do anything with your website, from posting and removing content, to taking the site offline. You definitely do not want unauthorized users logging in here, so this is the logical place to start implementing security measures.

Here are some of the most important things to check first.

User settings: This is a big one. If you have any users enabled on your CMS platform that are not needed, it’s good security practice to disable them. If there are any default users, like the admin account, then you must make sure the default passwords are changed.

In addition to setting a strong password, it’s a good idea to change the username for your admin account to one that you will remember, like a variation of your own name that would be hard to guess. That way, the default credentials will be useless, and both the admin username and password will be hard for hackers to guess.

Comment settings: You need to be careful about the user input that’s being handled by your website. Giving anonymous users access to comment on your site is not advised, as people who are not accountable for their actions will generally post less than flattering comments. Bots are another issue, as hackers can use them to flood your comments section with spam.

General visibility of information: You shouldn’t expose any information about the backend of your website. Attackers will try to probe your installation to find attack vectors and tools that they can use against your site.

Even knowing what version of the software and plugins you’re running can give attackers a way in. The general rule of thumb here is, you don’t want anyone to see anything except the content that you intend for your users.
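The advice above is to stop advertising your stack. As an added illustration (example code, not from the article or from any CMS), here is a small WSGI middleware that removes the response headers and the HTML "generator" tag that typically reveal server and CMS versions. The header list, the sample app and its header values are constructed for the demonstration.

```python
import re

# Response headers that advertise the server stack or its version.
# Assumed list; extend it for your own platform.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Matches the <meta name="generator" ...> tag that many CMSs emit with their version.
GENERATOR_META_RE = re.compile(r'<meta\s+name=["\']generator["\'][^>]*>\s*', re.IGNORECASE)


def strip_generator_meta(html):
    """Remove the CMS 'generator' tag from an HTML document."""
    return GENERATOR_META_RE.sub("", html)


class HideBackendInfo:
    """WSGI middleware: drops version-revealing headers and the generator tag.

    The body is buffered so Content-Length can be recomputed after editing."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"], captured["exc_info"] = status, headers, exc_info

        body = b"".join(self.app(environ, capture))
        original = captured["headers"]
        headers = [(n, v) for n, v in original
                   if n.lower() not in LEAKY_HEADERS | {"content-length"}]
        content_type = next((v for n, v in original if n.lower() == "content-type"), "")
        if content_type.startswith("text/html"):
            body = strip_generator_meta(body.decode("utf-8")).encode("utf-8")
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers, captured["exc_info"])
        return [body]


def demo():
    """Constructed sample app that leaks its stack, wrapped by the middleware.
    Returns the headers and body a client would actually receive."""

    def leaky_app(environ, start_response):
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Server", "Apache/2.4.29 (Ubuntu)"),   # constructed sample values
            ("X-Powered-By", "PHP/7.2.24"),
        ])
        return [b'<html><head><meta name="generator" content="ExampleCMS 4.2" />'
                b'</head><body>hello</body></html>']

    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(HideBackendInfo(leaky_app)({}, start_response))
    return seen["headers"], body


if __name__ == "__main__":
    headers, body = demo()
    print(headers)
    print(body)
```

In production you would normally set the equivalent directives in the web server itself (for example, Apache's ServerTokens and nginx's server_tokens), but the middleware shows exactly which pieces of information the article is telling you to remove.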

Input Validation: Any place on your website that accepts user input needs to have decent input validation, meaning a check that rejects or neutralizes unexpected characters before the input reaches your database or application code. SQL injection attacks use special characters in submitted input to change the meaning of the SQL queries your site runs.

This tricks your website into running queries it treats as if they came from a trusted user. Updating your CMS will generally stop this kind of attack, but if you’re using any custom web apps or plugins, you need to be aware of the current security implications of each one.
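To make the input-validation point concrete, here is an added Python example (not code from the article or from any CMS) that puts a vulnerable user lookup beside its parameterized form, plus a whitelist check on the username itself. The in-memory SQLite table, its sample rows and the username pattern are all constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a CMS user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "<hash-of-admin-password>", "administrator"),
         ("alice", "<hash-of-alice-password>", "subscriber")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective pattern: user input is pasted into the SQL text, so a quote
    character in the input changes the meaning of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter, so the database treats
    it as data and never as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed site policy: usernames are 1-32 characters of letters, digits, '_', '.' or '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value):
    """Input validation on top of parameterization: reject anything that does
    not look like a username before it reaches the database at all."""
    return USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # input containing the special characters the article warns about
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_user_safe(db, probe))        # no rows
    print("valid?     ", is_valid_username(probe))           # False
```

The two defences are complementary: parameterization makes the query safe regardless of input, while the whitelist check rejects malformed values early and keeps them out of logs and error messages.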

Review How Your Permissions Are Defined

It’s crucial to your website security that you carefully manage its file and folder permissions. Whenever you need to update content on your website, your web server validates the access privileges of the user attempting to make changes. If that user has access and the relevant permissions, then changes can be made. This is why the user settings that we mentioned earlier are so important. When you run a user permissions audit, you can check out file access, user access, and more.

The main permissions settings to be aware of are:

User Permissions: Each user that is set up in your CMS needs to have specific attributes and permissions assigned to them. In the field of Information Security, there’s something known as the principle of least privilege (give each user only the access their role requires), and it’s especially useful for these kinds of settings.

Standard users should have access only to things that will enhance their experience on your website, which makes sense because the site is for them. Only authorized users should have access to change anything.

Owner, Group, or Public: Managing users means that you need to categorize them and put them into the appropriate groups. Each group offers a different level of access. Owners have Read and Write access to the contents of the website, which means they can create and delete files at will. Public access is generally locked down and allows only Read access.

Read, Write, or Execute: These are file permissions, and they determine if a file can be opened and read or changed. If a user has Execute permissions, they are able to install applications and plugins. Standard users should not have this level of access.
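The Read, Write and Execute bits above are exactly what a file permissions audit inspects. Here is an added Python script (not from the article or any hosting provider) that walks a web root and flags the common mistakes: world-writable entries, credential-bearing config files readable by other accounts, and execute bits on ordinary content files. The target modes (644 for files, 755 for directories, 600 for config files), the list of sensitive file names and the sample tree are assumptions made for the example.

```python
import os
import stat
import tempfile

# Assumed policy for a typical shared-hosting web root (not a CMS's own rules):
# files 644, directories 755, credential-bearing config files 600.
SENSITIVE_NAMES = {"wp-config.php", "configuration.php", ".env"}
CONTENT_EXTENSIONS = {".php", ".html", ".js", ".css"}


def recommended_mode(name, is_dir):
    """Target permission bits under the assumed policy."""
    if is_dir:
        return 0o755
    if name in SENSITIVE_NAMES:
        return 0o600
    return 0o644


def audit_permissions(root):
    """Walk `root` and return (path, finding) pairs for permission problems."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink carries its target's permissions; audit the target instead
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if name in SENSITIVE_NAMES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "config readable by group/others"))
            if (stat.S_ISREG(mode)
                    and os.path.splitext(name)[1] in CONTENT_EXTENSIONS
                    and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
                findings.append((path, "content file has execute bit"))
    return findings


def build_sample_tree():
    """Constructed web root with deliberate mistakes, for trying the audit offline."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def touch(rel, mode):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
        return path

    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # mistake: world-writable directory
    return {
        "root": root,
        "uploads": uploads,
        "config": touch("wp-config.php", 0o644),  # mistake: credentials readable by others
        "index": touch("index.php", 0o755),       # mistake: execute bit on a content file
        "style": touch("style.css", 0o644),       # correct
    }


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, finding in audit_permissions(tree["root"]):
        print(f"{finding:36} {path}")
```

Run it against a local restore of your site rather than the live server first; any file it flags can then be corrected with the mode returned by recommended_mode for that entry.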

Follow CMS Best Practices

If you’re administering your own website, then you should be familiar with the best practices of your particular CMS. Each CMS, such as WordPress or Joomla, publishes release notes and security advisories on its website, so be sure to check in regularly.

Below are some common-sense items that you might not have thought to check. You can add these to your checklist to help ensure that your CMS is locked down and secure.

Make sure your CMS is updated: This sounds pretty basic, especially since most CMS installations will notify you when an update becomes available. However, not everyone assigns top priority to the installation of a CMS update, so a live website can end up having an outdated CMS running its backend.

The prospect of upgrading your CMS can trigger concerns about the compatibility of your plugins and applications, which is why the task is so often deferred, but that’s not a good enough reason to let your CMS get out of date.

Make sure your plugins are updated: If the developers of your plugins have identified any security-related fixes in their latest updates, then you need to update those plugins as soon as possible.

Install some security plugins: There are plenty of great plugins out there that will help you secure your website. Everything from intrusion detection to tools that handle security monitoring and alerts can be installed on your website, and those things can make it that much more secure.

Create a test environment: If you’re not sure about a new update, it’s always a good idea to test it out first. Make a backup of your website and restore it on a local PC. Then you can test all of your website’s features without interrupting your site’s availability. Once you’re satisfied that nothing is broken after the update, you can move forward with applying the changes to your live website.

Back up your website before every major change: If you need to update any key elements of your website during the course of your security audit, make sure that a backup of your website is created at each step of the process. If you discover any strange behavior later on, at least you’ll have a complete backup of your website in each state before the updates.

Think “ACB”—Always Create Backups!

If you can count on anything, it’s that the one time you forget to make a backup will be the time that you need to restore from one. It’s smart to avoid that scenario by always backing up your data.

There are many ways you can back up your website and the supporting databases and files that are needed to make your site operate properly. Here are the most important considerations when defining a plan for regularly backing up your website.

Have multiple backup locations and methods: If you make a backup but don’t download it from your web server, then you don’t have a way to restore your website if something happens to that web server. If you’re using a big provider, they may have redundancy and large-scale disaster recovery that will protect you, but things happen. Earthquakes, floods, storms, and other natural phenomena have the potential to destroy infrastructure and data centers.

Make sure that you have a backup saved and kept somewhere safe, such as a physical medium like a CD or flash drive. Cloud providers also offer a safe place to store your data, but again, there is always the potential for regional outages that might make accessing cloud services impossible.

Automate and schedule your backups: Nobody wants to run backups, because it’s a chore. Luckily, there are many ways that you can set up automated backups. There are commercial products and plugins that you can install directly into your CMS, or you can write your own scripts if you have the time and the skills.

Plan for failure: The key to any successful information security strategy is to act as if a negative event is not only possible but that it’s a certainty. By thinking this way, you’re able to plan for any eventuality. If a database can become corrupted, then back it up. If you could get locked out of your CMS, then find out how to unlock your account. Remember that in IT, anything that can go wrong will go wrong.

Test your backups regularly: Restoring backups to a test machine on your local computer is a good habit to get into, especially before and after updates to your CMS or web server. The last thing that you want is a corrupt or damaged backup preventing you from getting your site up and running again.
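The "automate your backups" and "test your backups" items above fit together naturally: a backup script can record a hash of every file it archives, and a restore test can extract the archive into a scratch directory and check each file against that record. The following is an added Python example (not code from the article or from any backup plugin) that does exactly that for the site's files; the database export is a separate step with your CMS's or database's own dump tool. The sample site tree and the simulated failure are constructed for the demonstration.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_root, dest_dir):
    """Archive the site files into dest_dir and write a manifest of SHA-256
    hashes beside it. Returns (archive_path, manifest_path)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, site_root)] = sha256_file(full)
    archive = os.path.join(dest_dir, "site-backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    manifest_path = archive + ".manifest.json"
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, sort_keys=True, indent=2)
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Restore the archive into a scratch directory and check every file
    against the manifest. Returns a list of problems; empty means the restore
    test passed."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # 'data' filter refuses unsafe paths (Python 3.12+, backported to newer 3.8-3.11 releases)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # interpreter predates the filter argument
        restored = os.path.join(scratch, "site")
        for rel, expected in sorted(manifest.items()):
            path = os.path.join(restored, rel)
            if not os.path.isfile(path):
                problems.append(f"missing: {rel}")
            elif sha256_file(path) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo():
    """Constructed site tree: back it up, verify it, then alter the manifest so
    the archive no longer matches what was recorded. Returns both results."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        os.makedirs(os.path.join(site, "wp-content"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(site, "wp-content", "theme.css"), "w") as fh:
            fh.write("body { margin: 0 }\n")
        archive, manifest_path = create_backup(site, work)
        good = verify_backup(archive, manifest_path)
        with open(manifest_path) as fh:
            manifest = json.load(fh)
        manifest["index.php"] = "0" * 64  # simulated damage: recorded hash no longer matches
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh)
        bad = verify_backup(archive, manifest_path)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("healthy backup:", good or "no problems")
    print("damaged backup:", bad)
```

Scheduling create_backup from cron and running verify_backup on a copy downloaded to another machine covers three of the items above at once: automation, an off-server copy, and a regular restore test.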

More Security Checklist Items

We could go on for many more pages about website security, but we’re focusing mostly on the basics. Before we leave you, here are just a few more items you may want to add to your security audit to-do list.

Disable directory browsing: Most web servers and hosts disable this by default, but there are things that can cause directory browsing to become activated. Put it on your checklist as something to look at periodically, in case an update inadvertently activates the feature. You really don’t need any curious users browsing the file structure of your web server.

Disable image hotlinking: Again, most modern CMS packages prevent this behavior by default, but it doesn’t hurt to check it from time to time to ensure that hotlinking hasn’t been enabled. Image hotlinking eats away at your website’s precious bandwidth and system resources, because you carry the overhead of hosting for someone else’s links.

Install an SSL certificate: This has become a necessity in 2019, as encryption is virtually required for all public internet communication. In order to properly encrypt the data going in and out of your website, you need to have an SSL certificate installed on your site and issued for your domain. Most modern browsers will show your visitors a prominent warning about a website that has no certificate, which could chase them away, so you should consider SSL a necessity.

Use password best practices: Attackers that want to illegally gain access to your website will use many different attack methods. If they manage to obtain your stored password hashes, they can run offline cracking attacks against them, so those hashes need to be salted and computed with a slow hashing function. If you have not set a limit on failed login attempts, hackers can employ automated dictionary attacks or brute-force attacks against your login form. In addition to the security plugins, you should use two-factor authentication for your main administrator login, and, really, for all your user accounts.

Use SSH or SFTP (Secure File Transfer Protocol): A lot of people don’t realize that FTP sends credentials and file contents unencrypted, so if you have the option not to use it, don’t!
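Two of the password items above, salted slow hashing and a limit on failed logins, can be shown together in code. The following is an added Python example (not code from the article or from any CMS) with a PBKDF2-SHA256 password store and a login throttle that locks an account after a number of failures inside a time window. The iteration count, the lockout parameters and the sample account are assumptions; the clock is passed in explicitly so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for PBKDF2-SHA256; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing salted hash: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginThrottle:
    """Locks a key (username here; username plus client address in practice)
    after max_attempts failures inside window_seconds."""

    def __init__(self, max_attempts=5, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.failures = {}  # key -> list of failure timestamps

    def _recent(self, key, now):
        recent = [t for t in self.failures.get(key, []) if now - t < self.window]
        self.failures[key] = recent
        return recent

    def is_locked(self, key, now):
        return len(self._recent(key, now)) >= self.max_attempts

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def reset(self, key):
        self.failures.pop(key, None)


# Hash of a throwaway password: unknown usernames are checked against it so
# they cost the same time as real ones and do not reveal which accounts exist.
DUMMY_HASH = hash_password("not-a-real-password")


def attempt_login(users, throttle, username, password, now=None):
    """Returns 'ok', 'locked' or 'bad_credentials'."""
    now = time.monotonic() if now is None else now
    if throttle.is_locked(username, now):
        return "locked"
    stored = users.get(username, DUMMY_HASH)
    valid = verify_password(password, stored) and username in users
    if valid:
        throttle.reset(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad_credentials"


if __name__ == "__main__":
    users = {"admin": hash_password("correct horse battery staple")}  # constructed account
    throttle = LoginThrottle(max_attempts=3, window_seconds=900)
    for t in (0.0, 1.0, 2.0):
        print(attempt_login(users, throttle, "admin", "guess", now=t))     # bad_credentials
    print(attempt_login(users, throttle, "admin", "correct horse battery staple", now=3.0))     # locked
    print(attempt_login(users, throttle, "admin", "correct horse battery staple", now=1000.0))  # ok
```

The lockout is keyed so that the correct password is refused while the window is active, which is the behaviour that defeats automated guessing; a real deployment would persist the failure counts somewhere shared by all web workers rather than in process memory.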

Refer to Your Security Audit Checklist Regularly

Security auditing is an ongoing task that needs to become part of your normal website maintenance. Remember that your subsequent audits will not have to be as thorough as your initial one. Your auditing checklist is a living document that should change with your security requirements.


María Bustillos

María is an enthusiast of cinema, literature and digital communication. As Content Coordinator at HostPapa, she focuses on the publication of content for the blog and social networks, organizing the translations, as well as writing and editing articles for the KB.